<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do?Id=137 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:28:07 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
<head>
 <title>
  Java Practices -> Repel invalid requests
 </title>
 <link rel="stylesheet" type="text/css" href="../stylesheet8.css" media="all">
 
 <link rel="shortcut icon" href='../images/favicon.ico' type="image/vnd.microsoft.icon">
 <meta name="description" content="Concise presentations of java programming practices, tasks, and conventions, amply illustrated with syntax highlighted code examples.">
 
 <meta name='keywords' content='AbstractRequestParser,DoS,MyReqParam,denial&#045;of&#045;service,java,java programming,java practices,java idiom,java style,java design patterns,java coding conventions,'>
 
 
</head>
 
<body>





<div class="main-layout">
 
   

 




<div class='page-title'>Repel invalid requests</div>

<div class='main-body'>
 
The <a href="http://www.owasp.org/">Open Web Application Security Project</a>
has practical guidelines for implementing a secure web site. The first
item on their list of security concerns is validating requests.
<p>A reasonable approach is to first validate all requests before performing
any other processing. Such checks can include
<ul>
<li>
check for requests whose overall size is unreasonably large (some attacks
send requests with large payloads, in an attempt to overload the server)</li>

<li>
check for unknown parameter <i>names</i></li>

<li>
"sanity checks" for unreasonable parameter <i>values</i>, not expected
during normal operation (for example, text of unreasonably large size,
or a checkbox taking an unexpected value)</li>
</ul>
Early in processing, sanity checks on parameter values may be either complete
or partial validations:
<ul>
<li>
complete - for example, items presented to the user in a static drop down
list, under normal operation, will take only the values defined by the
web application. Any other value constitutes an invalid request (almost
always a hack) which may be given a short, unpolished response, perhaps
in static HTML.</li>

<li>
partial - for example, a free form text area can be checked for size, but
not for detailed content. As a second example, a business identifier can
be checked for textual form, but validating it against the datastore is
not appropriate at this early stage in processing.</li>
</ul>
Checks on parameter values might be performed at <i>two</i> stages in processing:
early sanity checks (as described above), and later "business" validations.
For example, if an <tt>Age</tt> is typed into a text <tt>input</tt> control,
the parameter value can be validated in two steps:
<ul>
<li>
first, validate the input can indeed build an <tt>Integer</tt>. This validation
might be performed on the application's behalf by a framework which defines
reasonable policies for converting text into an <tt>Integer</tt>, <tt>Date</tt>,
<tt>BigDecimal</tt>, and so on.</li>

<li>
second, validate the <tt>Integer</tt> is, say, in the range <tt>0..150</tt>.
This sort of validation can only be performed by an application, not by
a framework.</li>
</ul>
This two-step validation style is used in the <a href="TopicAction5f31-2.html">WEB4J</a>
framework. In WEB4J, business validations are performed by a <a href="TopicActiond08d-2.html">Model
Object</a> constructor.
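<p>The three early checks and the two-step <tt>Age</tt> validation described above, as an added example that is not code from this page or from WEB4J. It assumes a hypothetical <tt>RequestRepeller</tt> class with its own policy constants (<tt>KNOWN_PARAMS</tt>, <tt>COUNTRY_CODES</tt>, <tt>AGE_FORM</tt>) and models the request as a content length plus a parameter map rather than a servlet request, so it runs without a container.</p>

```java
import java.util.*;
import java.util.regex.Pattern;
// Added example, not code from the page or from WEB4J. The request is modelled as a
// content length plus a parameter map, so it runs without a servlet container.
public final class RequestRepeller {
  // Hypothetical policy for one form: the expected parameter names and their sanity rules.
  private static final int MAX_CONTENT_LENGTH = 8 * 1024;
  private static final Set<String> KNOWN_PARAMS = Set.of("Age", "Country", "Comment");
  private static final Set<String> COUNTRY_CODES = Set.of("CA", "MX", "US"); // static drop-down
  private static final Pattern AGE_FORM = Pattern.compile("\\d{1,3}");      // textual form only

  /** Early stage: returns the reasons to repel the request, or an empty list if it passes. */
  public static List<String> repel(int contentLength, Map<String, String[]> params) {
    List<String> problems = new ArrayList<>();
    if (contentLength > MAX_CONTENT_LENGTH) {
      problems.add("request too large: " + contentLength + " bytes");
      return problems; // do not inspect a payload that is refused anyway
    }
    for (String name : params.keySet()) {
      if (!KNOWN_PARAMS.contains(name)) problems.add("unknown parameter: " + name);
    }
    // Complete check: a static drop-down can only take the values the application defined.
    for (String v : params.getOrDefault("Country", new String[0])) {
      if (!COUNTRY_CODES.contains(v)) problems.add("Country not in list");
    }
    // Partial checks: textual form and size only; range and datastore lookups come later.
    for (String v : params.getOrDefault("Age", new String[0])) {
      if (!AGE_FORM.matcher(v).matches()) problems.add("Age is not a short integer");
    }
    for (String v : params.getOrDefault("Comment", new String[0])) {
      if (v.length() > 2000) problems.add("Comment too long: " + v.length() + " chars");
    }
    return problems;
  }
  /** Later "business" stage, reached only after repel() returned an empty list. */
  public static Integer parseAge(String raw) {
    Integer age = Integer.valueOf(raw);   // step 1: text to Integer, a framework's job
    if (age < 0 || age > 150) {           // step 2: application rule, range 0..150
      throw new IllegalArgumentException("Age out of range: " + age);
    }
    return age;
  }
  public static void main(String[] args) {
    Map<String, String[]> ok = Map.of("Age", new String[] {"42"}, "Country", new String[] {"CA"});
    Map<String, String[]> bad = Map.of("Age", new String[] {"forty-two"}, "Colour", new String[] {"red"});
    System.out.println(repel(512, ok) + " -> age " + parseAge(ok.get("Age")[0]));
    System.out.println(repel(512, bad) + " " + repel(MAX_CONTENT_LENGTH + 1, ok));
  }
}
```

A request that fails <tt>repel()</tt> can be answered with the short, static response the text suggests; only requests that pass reach <tt>parseAge()</tt> and the rest of the business logic.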
<br>
<br>

</div>




<div class='topic-section'>See Also :</div>
<div class='main-body'>
 
  
  <a href='TopicAction703a-2.html?Id=138'>Parse parameters into domain objects</a> <br>
 
  
  <a href='TopicAction5f31-2.html?Id=188'>A Web App Framework - WEB4J</a> <br>
 
</div>



 
 
</div>

  

 





<div align='center' class='legalese'>  
&copy; 2011 Hirondelle Systems |
<a href='../source/SourceAction-2.html'><b>Source Code</b></a><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |
<a href="mailto:webmaster@javapractices.com">Contact</a> |
<a href="http://creativecommons.org/licenses/by-nc-sa/1.0/">License</a> |
<a href='../apps/cjp.rss'>RSS</a>
<br>

 Individual code snippets can be used under this <a href='../LICENSE.txt'>BSD license</a> - Last updated on June 6, 2010.<br>
 Over 150,000 unique IPs last month - <span title='Java Practices 2.6.5, Mon May 16 00:00:00 EDT 2011'>Built with</span> <a href='http://www.web4j.com/'>WEB4J</a>.<br>
 - In Memoriam : Bill Dirani -
</div>




</body>

</html>
